8238534: Deep sign macOS bundles before bundle archive is being created

Reviewed-by: erikj, clanger

8238534: Deep sign macOS bundles before bundle archive is being created
Reviewed-by: erikj, clanger
8bcf1217 · rschuenemann · 46396a3d · 8bcf1217 · 8bcf1217
隐藏空白更改
内联并排

Showing with 98 addition and 20 deletion

make/Bundles.gmk make/Bundles.gmk +90 -18

make/autoconf/spec.gmk.in make/autoconf/spec.gmk.in +8 -2

未找到文件。
--- a/make/Bundles.gmk
+++ b/make/Bundles.gmk
 #
-# Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -221,24 +221,96 @@ ifneq ($(filter product-bundles legacy-bundles, $(MAKECMDGOALS)), )
      $(SYMBOLS_EXCLUDE_PATTERN), \
      $(ALL_JRE_FILES))

-  $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \
-      BUNDLE_NAME := $(JDK_BUNDLE_NAME), \
-      FILES := $(JDK_BUNDLE_FILES), \
-      SPECIAL_INCLUDES := $(JDK_SPECIAL_INCLUDES), \
-      BASE_DIRS := $(JDK_IMAGE_DIR), \
-      SUBDIR := $(JDK_BUNDLE_SUBDIR), \
-  ))
-
-  PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE)
-
-  $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \
-      BUNDLE_NAME := $(JRE_BUNDLE_NAME), \
-      FILES := $(JRE_BUNDLE_FILES), \
-      BASE_DIRS := $(JRE_IMAGE_DIR), \
-      SUBDIR := $(JRE_BUNDLE_SUBDIR), \
-  ))
+  # On Macosx release builds, when there is a code signing certificate available,
+  # the final bundle layout can be signed.
+  SIGN_BUNDLE := false
+  ifeq ($(OPENJDK_TARGET_OS)-$(DEBUG_LEVEL), macosx-release)
+    ifneq ($(CODESIGN), )
+      SIGN_BUNDLE := true
+    endif
+  endif

-  LEGACY_TARGETS += $(BUILD_JRE_BUNDLE)
+  ifeq ($(SIGN_BUNDLE), true)
+    # Macosx release build and code signing available.
+
+    ################################################################################
+    # JDK bundle
+    $(eval $(call SetupCopyFiles, CREATE_JDK_BUNDLE_DIR_SIGNED, \
+        SRC := $(JDK_IMAGE_DIR), \
+        FILES := $(JDK_BUNDLE_FILES), \
+        DEST := $(JDK_MACOSX_BUNDLE_DIR_SIGNED), \
+    ))
+
+    JDK_SIGNED_CODE_RESOURCES := \
+        $(JDK_MACOSX_BUNDLE_DIR_SIGNED)/$(JDK_MACOSX_CONTENTS_SUBDIR)/_CodeSignature/CodeResources
+
+    $(JDK_SIGNED_CODE_RESOURCES): $(CREATE_JDK_BUNDLE_DIR_SIGNED)
+	$(call LogWarn, Signing $(JDK_BUNDLE_NAME))
+	$(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" \
+	    --timestamp --options runtime --deep --force \
+	    $(JDK_MACOSX_BUNDLE_DIR_SIGNED)/$(JDK_MACOSX_BUNDLE_TOP_DIR) $(LOG_DEBUG)
+	$(TOUCH) $@
+
+    $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \
+        BUNDLE_NAME := $(JDK_BUNDLE_NAME), \
+        FILES := \
+            $(CREATE_JDK_BUNDLE_DIR_SIGNED) \
+            $(JDK_SIGNED_CODE_RESOURCES), \
+        BASE_DIRS := $(JDK_MACOSX_BUNDLE_DIR_SIGNED), \
+        SUBDIR := $(JDK_BUNDLE_SUBDIR), \
+    ))
+
+    PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE)
+
+    ################################################################################
+    # JRE bundle
+    $(eval $(call SetupCopyFiles, CREATE_JRE_BUNDLE_DIR_SIGNED, \
+        SRC := $(JRE_IMAGE_DIR), \
+        FILES := $(JRE_BUNDLE_FILES), \
+        DEST := $(JRE_MACOSX_BUNDLE_DIR_SIGNED), \
+    ))
+
+    JRE_SIGNED_CODE_RESOURCES := \
+        $(JRE_MACOSX_BUNDLE_DIR_SIGNED)/$(JRE_MACOSX_CONTENTS_SUBDIR)/_CodeSignature/CodeResources
+
+    $(JRE_SIGNED_CODE_RESOURCES): $(CREATE_JRE_BUNDLE_DIR_SIGNED)
+	$(call LogWarn, Signing $(JRE_BUNDLE_NAME))
+	$(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" \
+	    --timestamp --options runtime --deep --force \
+	    $(JRE_MACOSX_BUNDLE_DIR_SIGNED)/$(JRE_MACOSX_BUNDLE_TOP_DIR) $(LOG_DEBUG)
+	$(TOUCH) $@
+
+    $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \
+        BUNDLE_NAME := $(JRE_BUNDLE_NAME), \
+        FILES := \
+            $(CREATE_JRE_BUNDLE_DIR_SIGNED) \
+            $(JRE_SIGNED_CODE_RESOURCES), \
+        BASE_DIRS := $(JRE_MACOSX_BUNDLE_DIR_SIGNED), \
+        SUBDIR := $(JRE_BUNDLE_SUBDIR), \
+    ))
+
+    LEGACY_TARGETS += $(BUILD_JRE_BUNDLE)
+  else
+    # Not a Macosx release build or code signing not available.
+    $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \
+        BUNDLE_NAME := $(JDK_BUNDLE_NAME), \
+        FILES := $(JDK_BUNDLE_FILES), \
+        SPECIAL_INCLUDES := $(JDK_SPECIAL_INCLUDES), \
+        BASE_DIRS := $(JDK_IMAGE_DIR), \
+        SUBDIR := $(JDK_BUNDLE_SUBDIR), \
+    ))
+
+    PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE)
+
+    $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \
+        BUNDLE_NAME := $(JRE_BUNDLE_NAME), \
+        FILES := $(JRE_BUNDLE_FILES), \
+        BASE_DIRS := $(JRE_IMAGE_DIR), \
+        SUBDIR := $(JRE_BUNDLE_SUBDIR), \
+    ))
+
+    LEGACY_TARGETS += $(BUILD_JRE_BUNDLE)
+  endif

  $(eval $(call SetupBundleFile, BUILD_JDK_SYMBOLS_BUNDLE, \
      BUNDLE_NAME := $(JDK_SYMBOLS_BUNDLE_NAME), \

--- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in
@@ -868,10 +868,16 @@ DOCS_OUTPUTDIR := $(DOCS_IMAGE_DIR)
 # Macosx bundles directory definitions
 JDK_MACOSX_BUNDLE_SUBDIR=jdk-bundle
 JRE_MACOSX_BUNDLE_SUBDIR=jre-bundle
+JDK_MACOSX_BUNDLE_SUBDIR_SIGNED=jdk-bundle-signed
+JRE_MACOSX_BUNDLE_SUBDIR_SIGNED=jre-bundle-signed
 JDK_MACOSX_BUNDLE_DIR=$(IMAGES_OUTPUTDIR)/$(JDK_MACOSX_BUNDLE_SUBDIR)
 JRE_MACOSX_BUNDLE_DIR=$(IMAGES_OUTPUTDIR)/$(JRE_MACOSX_BUNDLE_SUBDIR)
-JDK_MACOSX_CONTENTS_SUBDIR=jdk-$(VERSION_NUMBER).jdk/Contents
-JRE_MACOSX_CONTENTS_SUBDIR=jre-$(VERSION_NUMBER).jre/Contents
+JDK_MACOSX_BUNDLE_DIR_SIGNED=$(IMAGES_OUTPUTDIR)/$(JDK_MACOSX_BUNDLE_SUBDIR_SIGNED)
+JRE_MACOSX_BUNDLE_DIR_SIGNED=$(IMAGES_OUTPUTDIR)/$(JRE_MACOSX_BUNDLE_SUBDIR_SIGNED)
+JDK_MACOSX_BUNDLE_TOP_DIR=jdk-$(VERSION_NUMBER).jdk
+JRE_MACOSX_BUNDLE_TOP_DIR=jre-$(VERSION_NUMBER).jre
+JDK_MACOSX_CONTENTS_SUBDIR=$(JDK_MACOSX_BUNDLE_TOP_DIR)/Contents
+JRE_MACOSX_CONTENTS_SUBDIR=$(JRE_MACOSX_BUNDLE_TOP_DIR)/Contents
 JDK_MACOSX_CONTENTS_DIR=$(JDK_MACOSX_BUNDLE_DIR)/$(JDK_MACOSX_CONTENTS_SUBDIR)
 JRE_MACOSX_CONTENTS_DIR=$(JRE_MACOSX_BUNDLE_DIR)/$(JRE_MACOSX_CONTENTS_SUBDIR)